🛡️ Google Cloud MySQL Instance Local_infile Database Flag is not set to off🟢

• Contextual name: 🛡️ MySQL Instance Local_infile Database Flag is not set to off🟢
• ID: /ce/ca/google/sql/mysql-instance-local-infile-flag
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Disable 'local_infile' Flag for MySQL Database Instances

Description

Open File

Description

It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.

Rationale

The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.

To explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled. local_infile can also be set at runtime.

Due to security issues associated with the local_infile flag, it is recommended to disable it. This recommendation is applicable to MySQL database instances.

Impact

Disabling local_infile makes the server refuse local data loading by clients that have LOCAL enabled on the client side.

Audit

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the MySQL instance where the database flag needs to be enabled.
3. Click Edit.
4. Scroll down to the Flags section.
5. To set a flag that has not been set on the instance before, click Add a Database Flag, choose the flag local_infile from the drop-down menu, and set its value to off.
6. Click Save.
7. Confirm the changes under Flags on the Overview page.

From Google Cloud CLI

1. List all Cloud SQL database instances using the following command:

        gcloud sql instances list

2. Configure the local_infile database flag for every Cloud SQL Mysql database instance using the below command:

        gcloud sql instances patch <INSTANCE_NAME> --database-flags local_infile=off

Note: This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.1.3 Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off' - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 6.1.3 Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 6.1.3 Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 6.1.3 Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 System Configuration			45		no data
💼 FedRAMP High Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H)	2		12		no data
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3	18	33		no data
💼 FedRAMP Low Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H)			11		no data
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)			29		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H)	1		12		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3		33		no data
💼 ISO/IEC 27001:2022 → 💼 8.8 Management of technical vulnerabilities		8	10		no data
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)		4	26		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			142		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-6 Configuration Settings	4		12		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-7 Least Functionality	9		23		no data
💼 PCI DSS v3.2.1 → 💼 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.	5	3	32		no data
💼 PCI DSS v4.0.1 → 💼 2.2.1 Configuration standards are developed, implemented, and maintained.			13		no data
💼 PCI DSS v4.0 → 💼 2.2.1 Configuration standards are developed, implemented, and maintained.			13		no data